PKI NSS Certificate CLI - dogtagpki/pki GitHub Wiki
The pki nss-cert commands can be used to manage certificates in an NSS database.
To list certificates in NSS database:
$ pki nss-cert-find
Availability: Since PKI 11.1.
To display certificate info:
$ pki nss-cert-show caadmin Nickname: caadmin Serial Number: 0x844a78e9c0c7567b80da5343fb049110 Subject DN: CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE Issuer DN: CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE Not Valid Before: Wed Aug 02 18:18:40 CDT 2023 Not Valid After: Tue Jul 22 18:18:40 CDT 2025 Trust Flags: u,u,u
To display certificate info in JSON format:
$ pki nss-cert-show caadmin --output-format json
{
"nickname" : "caadmin",
"serialNumber" : "0x844a78e9c0c7567b80da5343fb049110",
"subjectDN" : "CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE",
"issuerDN" : "CN=CA Signing Certificate,OU=pki-tomcat,O=EXAMPLE",
"notBefore" : 1691018320000,
"notAfter" : 1753226320000,
"trustFlags" : "u,u,u"
}
To import a certificate into NSS database:
$ pki nss-cert-import [nickname] \
--cert <filename> \
--trust <attributes>
Availability: Since PKI 10.9.
To export a certificate from NSS database:
$ pki nss-cert-export <nickname>
To remove a certificate from the internal token in NSS database:
$ pki nss-cert-del <nickname>
To remove a certificate from HSM, prepend the nickname with the token name: <token>:<nickname>.
To remove the key of the certificate, specify a --remove-key option.
Availability: Since PKI 11.5.